I have 2FA activated for my admin account, but when I create a device session for mobile, it allows me to log in without using 2FA. I am curious about the reason for this.
Is this because when I log in with my device, it creates a trusted device? So that the password will only work in conjunction with that specific device?
The password is set up once for an application and re-used automatically to access Nextcloud as it is required. The passwords are relatively long and random character strings so that they are difficult to guess.
It is not possible to log in to the web frontend with an app password so it gives no access to the administrative interfaces that can only be reached there.
You can also see all registered devices and when they were last active in the security tab of your personal settings. File access can also be prohibited there or a connection (which includes the used app password) can be revoked.
If a device with file access falls into wrong hands, you can also activate remote deletion, which will delete files that are already on the device.
To clarify, I am not attempting to log in to the web interface with the app password: I am attempting to use the app password to log in to the Nextcloud mobile app so I can sync my calendar, tasks, and notes.
My main concern is the security of logging in to my Nextcloud account via my phone: I worry about accidentally leaking my login credentials.
When I asked if the app password can only be used once, my goal was to understand whether the same app password can be used to access my account through multiple mobile devices.
Is it possible to use the same app password on multiple devices?
I’m not 100% sure whether multiple applications can use the same app password at the same time, but they can definitely be re-used after reinstalling an app, which leads me to the assumption that the former would probably work as well (I did not test it).
So, in theory, using app passwords reduces the overall security of an account, at least a little bit. However, as long as you don’t use them on a compromised device that sends your clipboard or keystrokes to a command-and-control server while setting up the app in question, you should be fine.
Brute-force attacks are definitely a non-issue in this context because the app passwords are too strong.